#jinja2: lstrip_blocks: "True", trim_blocks: "True" #!/usr/sbin/nft -f # {{ ansible_managed }} {% set globalmerged = nft_global_default_rules.copy() %} {% set _ = globalmerged.update(nft_global_rules) %} {% set _ = globalmerged.update(nft_global_group_rules) %} {% if nft_merged_groups and hostvars[inventory_hostname]['nft_combined_rules'].nft_global_group_rules is defined%} {% set _ = globalmerged.update(hostvars[inventory_hostname]['nft_combined_rules'].nft_global_group_rules) %} {% endif %} {% set _ = globalmerged.update(nft_global_host_rules) %} # clean flush ruleset include "{{ nft_define_conf_path }}" table inet filter { chain global { {% for group, rules in globalmerged|dictsort %} # {{ group }} {% if not rules %} # (none) {% endif %} {% for rule in rules %} {{ rule }} {% endfor %} {% endfor %} } include "{{ nft_set_conf_path }}" include "{{ nft_input_conf_path }}" include "{{ nft_output_conf_path }}" {% if nft_custom_includes | default() %} {% if nft_custom_includes is string %} include "{{ nft_custom_includes }}" {% elif nft_custom_includes is iterable and (nft_custom_includes is not string and nft_custom_includes is not mapping) %} {% for include in nft_custom_includes %} include "{{ include }}" {% endfor %} {% endif %} {% endif %} } {% if nft__nat_table_manage %} # Additionnal table for Network Address Translation (NAT) table ip nat { include "{{ nft_set_conf_path }}" include "{{ nft__nat_prerouting_conf_path }}" include "{{ nft__nat_postrouting_conf_path }}" } {% endif %} {% if nft__custom_content|d() %} # Custom content from ipr-cnrs.nftables {{ nft__custom_content }} {% endif %}